Refresh of shared cryptographic keys

ABSTRACT

One of n≥2 servers, connectable via a network, implements a cryptographic protocol using a secret key K which is shared between the n servers, and includes first and second server compartments. The first is connectable to the network, adapted to implement the cryptographic protocol, and stores a current key share of the secret key K. The second is inaccessible from the network in the operation of the server, stores a set of master keys, and is adapted, for each of successive time periods, to unilaterally generate a new key share of the secret key K and to supply it to the first as the current key share for that time period. The new key share includes a random share of a predetermined value p which is shared between the n servers, and the random share includes a function of the set of master keys.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 14/877,738 filed 7 Oct. 2015, the complete disclosure of which is expressly incorporated herein by reference in its entirety for all purposes.

BACKGROUND

The present invention relates generally to refresh of shared cryptographic keys, and more specifically to refresh of a secret key which is shared between a plurality of servers for implementing a cryptographic protocol over a network.

Protecting information is essential in the digital economy. A common way to protect data is to use cryptographic algorithms to process the data in some way, but it is then necessary to protect the secret cryptographic keys which are used in such algorithms. An increasingly popular technique is to distribute (secret share) keys between a plurality of servers which can perform operations with a shared key in a distributed fashion to collectively implement some cryptographic protocol. Cryptography offers a very rich body of protocols for such operations. Sharing a secret key enhances security because more than one server must be subverted by an adversary for the key to be compromised. Some systems also offer so-called “proactive security”, whereby a secret key can be refreshed by periodically re-sharing the key among the servers. Proactive security can be realized by letting the servers engage in an interactive refresh protocol to re-compute their key shares.

SUMMARY

According to at least one embodiment of the present invention there is provided a server for operation as one of n≥2 servers, connectable via a network, to implement a cryptographic protocol using a secret key K which is shared between the n servers. The server comprises first and second server compartments. The first server compartment, which is connectable to the network and adapted to implement the cryptographic protocol, stores a current key share of the secret key K. The second server compartment, which is inaccessible from the network in said operation of the server, stores a set of master keys. The second server compartment is adapted, for each of successive time periods in said operation, to unilaterally generate a new key share of the secret key K and to supply the new key share to the first server compartment as the current key share for that time period. The new key share comprises a random share of a predetermined value p which is shared between the n servers, and the random share comprises a function of the set of master keys.

Further embodiments of the present invention provide a method for refreshing a key share at such a server, and a computer-program product for causing such a server to refresh a key share.

Embodiments of the invention will be described in more detail below, by way of illustrative and non-limiting example, with reference to the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic representation of a server system embodying the invention;

FIG. 2 is a generalized schematic of a computer in the FIG. 1 system;

FIG. 3 indicates steps performed by a server of the FIG. 1 system to refresh a key share of the server;

FIG. 4 is a schematic representation of an exemplary server implementation for the FIG. 1 system;

FIGS. 5a and 5b indicate steps performed by servers in an initialization procedure of a first embodiment;

FIG. 6 indicates steps performed by a server to refresh a key share in the first embodiment;

FIGS. 7a and 7b indicate steps performed by servers in an initialization procedure of a second embodiment; and

FIG. 8 indicates steps performed by a server to refresh a key share in the second embodiment.

DETAILED DESCRIPTION

The present invention may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.

The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.

Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device.

Computer readable program instructions for carrying out operations of the present invention may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine dependent instructions, microcode, firmware instructions, state-setting data, or either source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like, and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.

These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.

The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device to produce a computer implemented process, such that the instructions which execute on the computer, other programmable apparatus, or other device implement the functions/acts specified in the flowchart and/or block diagram block or blocks.

The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions.

FIG. 1 is a schematic block diagram of a server system 1 comprising a plurality n of servers 2 embodying the invention. The servers are denoted by S_(i) (1≤i≤n), where in general n≥2, and preferably n>2. For example, a typical system may comprise at least n=3 servers. (In general, higher values of n offer greater protection of cryptographic keys discussed below. The value of n can thus be selected according to security requirements for a given system). The servers S_(i), . . . , S_(n) are connectable via a network 3 (which may in general comprise one or more component networks and/or internetworks, including the Internet) to implement a cryptographic protocol using a secret key K which is shared between the n servers. The cryptographic protocol may, for instance, comprise a secret sharing scheme, a signature scheme, an encryption scheme, or a more advanced protocol such as threshold password-authenticated secret sharing scheme. However, the particular functionality of the cryptographic protocol is orthogonal to the system operation to be described.

Each server S_(i) comprises a first server compartment 4 and a second server compartment 5. The first server compartment 4 is connectable to network 3 and is operable, though communication with other servers 2 via the network, to implement the cryptographic protocol using the secret key K. To this end, the first server compartment 4 comprises protocol logic which is adapted to implement the cryptographic protocol in communication with other servers 2. The protocol logic may be implemented, in general, in hardware or software or a combination thereof. The first server compartment 4 also stores that server's current key share K_(i) of the secret key K for use in the cryptographic protocol. The second server compartment 5 is inaccessible from network 3 in operation of the cryptographic protocol. This server compartment can be protected from network 3 by hardware and/or software mechanisms which inhibit unauthorized access to the compartment from the network in operation of the protocol. Exemplary mechanisms are described below. The second server compartment 5 comprises key-management logic providing functionality detailed below for periodically refreshing the key share K_(i) stored by first server compartment 4. The key-management logic may again be implemented in hardware or software or a combination thereof. The second server compartment 5 also stores a set of master keys, denoted by {mk}_(i) in the figure, for the server S_(i). The key set {mk}_(i) may comprise one or more master keys, one or more of which may be common to one or more other servers 2. The master key set {mk}_(i) is used by the key-management logic to generate new key shares K_(i) in successive refresh operations described below.

In general, the first and second server compartments 4, 5 may be implemented by computing apparatus comprising one or more general- or special-purpose computers, each comprising one or more (real or virtual) machines, providing functionality for implementing the operations described herein. Exemplary implementations will be described further below. The protocol and key-management logic of these server compartments may be described in the general context of computer system-executable instructions, such as program modules, executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, and so on that perform particular tasks or implement particular abstract data types. The computing apparatus may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.

FIG. 2 is a block diagram of exemplary computing apparatus for implementing a computer of server 2. The computing apparatus is shown in the form of a general-purpose computer 10. The components of computer 10 may include processing apparatus such as one or more processors represented by processing unit 11, a system memory 12, and a bus 13 that couples various system components including system memory 12 to processing unit 11.

Bus 13 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.

Computer 10 typically includes a variety of computer readable media. Such media may be any available media that is accessible by computer 10 including volatile and non-volatile media, and removable and non-removable media. For example, system memory 12 can include computer readable media in the form of volatile memory, such as random access memory (RAM) 14 and/or cache memory 15. Computer 10 may further include other removable/non-removable, volatile/non-volatile computer system storage media. By way of example only, storage system 16 can be provided for reading from and writing to a non-removable, non-volatile magnetic medium (commonly called a “hard drive”). Although not shown, a magnetic disk drive for reading from and writing to a removable, non-volatile magnetic disk (e.g., a “floppy disk”), and an optical disk drive for reading from or writing to a removable, non-volatile optical disk such as a CD-ROM, DVD-ROM or other optical media can also be provided. In such instances, each can be connected to bus 13 by one or more data media interfaces.

Memory 12 may include at least one program product having one or more program modules that are configured to carry out functions of embodiments of the invention. By way of example, program/utility 17, having a set (at least one) of program modules 18, may be stored in memory 12, as well as an operating system, one or more application programs, other program modules, and program data. Each of the operating system, one or more application programs, other program modules, and program data, or some combination thereof, may include an implementation of a networking environment. Program modules 18 generally carry out the functions and/or methodologies of embodiments of the invention as described herein.

Computer 10 may also communicate with: one or more external devices 19 such as a keyboard, a pointing device, a display 20, etc.; one or more devices that enable a user to interact with computer 10; and/or any devices (e.g., network card, modem, etc.) that enable computer 10 to communicate with one or more other computing devices. Such communication can occur via Input/Output (I/O) interfaces 21. Also, computer 10 can communicate with one or more networks such as a local area network (LAN), a general wide area network (WAN), and/or a public network (e.g., the Internet) via network adapter 22. As depicted, network adapter 22 communicates with the other components of computer 10 via bus 13. It should be understood that although not shown, other hardware and/or software components could be used in conjunction with computer 10. Examples include, but are not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data archival storage systems, etc.

In operation of system 1, the servers S_(i) communicate via network 3 to implement the cryptographic protocol in which the key shares K_(i) of a plurality of the servers can be combined to reconstruct the secret key K for the protocol. Proactive security is provided by operation of the second server compartments 5 of the servers. In particular, through operation of the key-management logic, the second server compartment 5 of each server is adapted, for each of successive time periods in operation of the cryptographic protocol, to unilaterally generate a new key share of the secret key K, and to supply the new key share to the first server compartment 4 as the current key share K_(i) for that time period. The time periods, or “epochs”, for which the key shares are refreshed may be defined in various ways in the system. For example, the refresh operation may be performed automatically for epochs of a predetermined duration, and/or a new epoch may be initiated in response to detection of an attack on system 1. FIG. 3 gives an overview of the main steps performed by the second server compartment 5 in the refresh operation for a new epoch.

In a first step, step 30, of the refresh operation, the key-management logic retrieves the set of master keys {mk}_(i) from its location in memory operatively associated with the second server compartment 5. In step 31, the key-management logic computes a random share δ_(i) of a predetermined value p which is shared between the n servers 2 of the system. This random share δ_(i) comprises a function of the set of master keys {mk}_(i). In step 32, the key-management logic uses the random share δ_(i) to generate a new key share K_(i) for the new epoch. In step 33, the key-management logic supplies the new key share to the first server compartment 4. The new key share, which is stored in memory operatively associated with the first server compartment, becomes the server's current key share K_(i) for the new epoch.

Through use of the master keys in this way in the second server compartment, each server S_(i) can unilaterally generate new key shares in operation, whereby proactive security is achieved without requiring communication between servers for the key refresh process. Security of the key refresh procedure can be assured even if a server has been compromised in the previous epoch. This provides a significant advantage over prior systems with interactive key refresh processes. In those systems, it is not clear how the communication between servers can be secured if all of a server's keys may have been compromised during the previous epoch: an adversary may be privy to all keys and therefore able to impersonate the server.

The master key sets {mk}_(i) and initial key shares K_(i) for servers 2 may be provided in an initialization operation of the system. This initialization might be performed in various ways. For example, the master keys {mk}_(i) could be generated independently, e.g. by a system controller, and communicated to individual servers S_(i) via some secure message transmission functionality F_(smt). In embodiments described below, one dedicated server, e.g. server S_(i), generates all master key sets {mk}_(i) which are then communicated to other servers via the secure message transmission functionality F_(smt). This communication may, for example, be implemented by writing the initialization data to a physical medium (such as a USB drive, disc, etc.) which is distributed to server locations by courier and loaded to the servers by an operator. In preferred embodiments below, master keys may even be short enough to be written on paper and entered manually to the servers. Alternatively, for example, the message transmission functionality F_(smt) may comprise a secure transmission channel established via a standard security protocol such as TLS (Transport Security Layer) or SSL (Secure Sockets Layer). While the initialization data could include the initial key shares K_(i), in preferred embodiments these initial shares can be generated by the second server compartments 5 as demonstrated by examples below.

Operation of preferred embodiments will now be described in detail with reference to FIGS. 4 through 8. In these examples, n>2 servers S_(i) are assumed to communicate via the Internet to implement the cryptographic protocol using shared key K. FIG. 4 illustrates a preferred implementation for each server S_(i) of the system. In the server 30 of this example, the first server compartment 31 comprises a virtual machine 32, denoted by SC1 _(i) ^((ε)) (where ε=0, 1, 2, etc., indicates epoch number), running on a cloud computing 2) platform 33. A fresh virtual machine SC1 _(i) ⁽⁰⁾, SC1 _(i) ⁽¹⁾, SC1 _(i) ⁽²⁾, etc., is initiated on platform 33 for each of successive epochs ε=0, 1, 2, . . . , in operation. Cloud platform 33 may in general comprise one or more computers each supporting one or more virtual machines. In a typical implementation, the cloud platform 33 can be realized by a single physical machine or a cluster of physical machines. The second server compartment 34, denoted by SC2 _(i), comprises a single physical machine in this embodiment. This machine is connected only to the cloud software platform, and such connections can be physically isolated from the network (here the Internet) via which the virtual machines 32 communicate. In particular, the virtual machines) SC1 _(i) ⁽⁰⁾, SC1 _(i) ⁽¹⁾, . . . , SC1 _(i) ^((ε)), . . . , are exposed to the Internet, while the cloud platform 33 and second compartment SC2 _(i) are run in a protected environment (the “de-militarized zone”), i.e. behind one or more firewalls deployed in the cloud platform. The second compartment SC2 _(i) is thus inaccessible from the Internet in normal operation of the cryptographic protocol, and is therefore protected from unauthorized Internet access. (Authorized access may of course be possible if required, e.g. for setup purposes prior to operation).

With the implementation of FIG. 4, server 30 can exploit inherent features of modern cloud computing platforms such as, for instance, the Openstack platform. Such platforms offer strong separation between the virtual machines that are exposed to the Internet, and are thus subject to attacks, and the cloud management interfaces that run in the demilitarized zone. New virtual machines can be created on the fly from images, machines can be shut down, and the routing of traffic to machines be dynamically configured. The platforms can also virtualize the storage for the virtual machines, offering different kinds of abstraction of hard-disks (such as file system, block store, object store, etc.). System setup can be managed as a manual process via a web interface in the de-militarized zone. However, system management operations can easily be automated with scripts to replace manual interaction with software-based control.

In operation of the (n>2)-server system, the n virtual machines SC1 _(i) ^((ε)) implementing first server compartments 31 communicate to implement a threshold cryptographic protocol. Such a protocol allows n servers to perform some cryptographic functionality in such a way that, as long as strictly less than a threshold number t≤n of the servers are corrupted, the functionality remains secure. Time is divided into epochs separated by key refresh procedures performed by the servers. The protocol must remain secure as long as less than t servers are corrupted in each epoch, but the set of corrupted servers may change from epoch to epoch. For each epoch E, a fresh virtual machine SC1 _(i) ^((ε)) is set up, booted, and run on the cloud platform 33 at each server. These machines SC1 _(i) ^((ε)) run the account creation and login request procedures of threshold cryptographic protocol, and read and write their states from the virtual storage provided to them by cloud platform 33. The second compartment SC2 _(i) of each server 30 controls the cloud platform 33, maintains the images for the virtual machines SC1 _(i) ^((ε)), and prepares the state (stored operating data) that is given to each SC1 _(i) ^((ε)) in order for it to run the account creation and login request protocols. The state for each SC1 _(i) ^((ε)) is generated as a result of initialization and refresh procedures of the key management scheme in servers 30. Examples of these procedures are described for two embodiments below.

In a first embodiment, the key management scheme is based on pairwise shared secrets using pseudorandom functions. This scheme works for n-out-of-n threshold schemes, i.e., where t=n and security is preserved as long as not all of the servers are corrupted during the same epoch. Some preliminaries are described below to assist understanding of the embodiment to follow.

Pseudo-Random Functions.

A pseudo-random function (PRF) is a function PRF:

×

→

, where no polynomial-time adversary can distinguish an instantiation of PRF with a random key from a truly random function. The advantage Adv_(A,PRF) ^(pr)(κ) of an adversary A is defined as |Pr[1=A^(PRF(K,⋅)): K←_(R)κ]−Pr[1=A^($(⋅))]|, where $(⋅) is an oracle that implements a truly random function

→

.

Combinatorial Secret Sharing.

Let

be an additive group. A straightforward way to secret-share a secret key K ϵ

among servers S₁, . . . , S_(n) is to choose random key shares K₂, . . . , K_(n)←_(R)

and set K₁←K−Σ_(i=2) ^(n)K_(i). Each server S_(i) is given a key share K_(i). To reconstruct K, they recompute K←Σ_(i=1) ^(n)K_(i). The key shares can be refreshed by letting each server S_(i) add a random share δ_(i) of a predetermined value p, where conveniently p=0, to their key share K_(i). For example, S₁ could choose δ₂, . . . , δ_(n)←_(R)

, compute δ₁←−Σ_(i=2) ^(n) δ_(i), and send δ_(i) to S_(i).

An observation underlying the embodiment below is that the same shares δ₁, . . . , δ_(n) can be computed in a different way, by choosing s_({i,j})←_(R)

for all 1≤i<j≤n and handing (S_({i,j}))_(j=1,j≠i) ^(n) to S_(i) for i=1, . . . , n. Note that there is a share s_({i,j}) for each pair of servers {S_(i), S_(j)}, and that this share is known only to S_(i) and S_(j). Server S_(i) can then compute its share of zero δ_(i)←Σ_(j=1) ^(n)Δ_(i,j)·s_({i,j}), where “·” represents multiplication and

Δ_(i,j)=1 if i<j

Δ_(i,j)=0 if i=j

Δ_(i,j)=−1 if i>j

One can easily see that

$\begin{matrix} {{\Sigma_{i = 1}^{n}\delta_{i}} = {\Sigma_{i = 1}^{n}\Sigma_{j = 1}^{n}{\Delta_{i,j} \cdot s_{\{{i,j}\}}}}} \\ {= {\Sigma_{i = 1}^{n}j\; {\Sigma_{j = {i + 1}}^{n}\left( {s_{\{{i,j}\}} - s_{\{{i,j}\}}} \right)}}} \\ {= 0} \end{matrix}.$

The embodiment below exploits this technique for generating the shares δ₁, . . . , δ_(n) to enable servers 30 to non-interactively generate arbitrarily many shares of p=0 by letting s_({i,j}) be generated pseudorandomly from a master key that is known only to servers S_(i) and S_(j).

FIGS. 5a and 5b indicate the initialization procedure of the first embodiment, and FIG. 6 indicates the key refresh procedure. One dedicated server, here S₁, performs the initialization steps indicated in FIG. 5a . In this process, the second server compartment SC2 ₁ of server S₁, generates and distributes a set of master keys {mk}_(i) for all servers S₁, . . . , S_(n) in the system. It also generates a joint secret key K and uses its master keys {mk}₁ to compute its own initial key share K₁ of K. This key share K₁ forms part of the initial state st₁ of the first server compartment SC1 ₁ of S₁. The master keys for S₁ form part of the stored data backup₁ held in memory of second server compartment SC2 ₁.

Let PRF: {0,1}^(κ)×

→

be a pseudorandom function, where κϵ

is a security parameter (typically, κ=128). In step 40 of FIG. 5a , second server compartment SC2 ₁ generates the master keys for each server S_(i) as follows:

for all 1≤i<j≤n, choose master keys mk_({i,j})←_(R){0,1}^(κ).

The set of master keys {mk}_(i)=(mk_({i,j}))_(j=1,j≠i) ^(n) for server S_(i) thus comprises respective master keys common to each of the (n−1) other servers, mk_(i,j) being the master key common to the j^(th) server of the (n−1) other servers (1≤j≤n, j≠i).

In step 41, compartment SC2 ₁ generates the protocol key K to be distributed between the n servers, and initializes a variable epoch which takes a value indicative of the epoch count ε here:

choose K← _(R)

; set epoch←0.

In step 42, compartment SC2 ₁ generates the server S₁'s random share of the predetermined value p, where p=0 here for simplicity:

compute δ₁←Σ_(j=2) ^(n)PRF(mk _({1,j}),epoch)mod q,

where Δ_(i,j)=1 here since i=1, and q is a predetermined security parameter for the n servers.

In step 43, SC2 ₁ generates the initial key share K₁ for server S₁ by setting K₁←K+δ₁. Step 44, indicated by dashed lines in the figure, indicates an optional step discussed further below.

In step 45, SC2 ₁ stores its backup data backup₁ as follows:

backup₁←(epoch,K ₁,(mk _({1,j}))_(j=2) ^(n)).

In step 46, SC2 ₁ supplies the initial key share K₁ to the first server compartment SC1 ₁ as part of the state st₁:

set initial state of SC1₁ to st ₁=(epoch,K ₁).

In step 47, the sets of master keys {mk}_(i)=(mk_({i,j}))_(j=1,j≠i) ^(n) for the other servers S_(i) (i=2 to n) are securely distributed to the servers 30 via the secure message transmission functionality F_(smt) discussed above. The initialization process for server S₁ is then complete.

FIG. 5b indicates the initialization procedure for each of the other servers S_(i) ϵ{S₂, . . . , S_(n)} of the system. In this process, the server S_(i) receives and stores its set of master keys {mk}_(i) in memory of second server compartment SC2 _(i), and generates its initial key share K_(i) of the key K. This key share K_(i) forms part of the initial state st_(i) of the first server compartment SC1 _(i) of S_(i).

In step 50, the second server compartment SC2 _(i) receives its set of master keys {mk}_(i)=(mk_({i,j}))_(j=1,j≠i) ^(n) via F_(smt). In step 51, SC2 _(i) initializes the variable epoch:

set epoch←0.

In step 52, compartment SC2 _(i) generates server S_(i)'s random share of p=0:

compute δ_(i)←Σ_(j=1,j≠i) ^(n)Δ_(i,j)PRF(mk _({i,j}),epoch)mod q,

where Δ_(i,j) is as defined earlier, i.e.:

Δ_(i,j)=1 if i<j

Δ_(i,j)=0 if i=j

Δ_(i,j)=−1 if i>j

In step 53, SC2 _(i) generates the initial key share K_(i) for S_(i) as K_(i)←δ_(i). Step 54 again indicates an optional step described later.

In step 55, SC2 _(i) stores its backup data backup_(i) in memory of second server compartment SC2 _(i):

backup_(i)←(epoch,K _(i),(mk _({i,j}))_(j=1,j≠i) ^(n)).

In step 56, SC2 _(i) supplies the initial key share K_(i) to the first server compartment SC1 _(i) as part of the state st_(i):

set initial state of SC1_(i) to st _(i)=(epoch,K _(i)).

The initialization process for server S_(i) is then complete.

After initialization of the n servers as described above, the servers can communicate via the Internet to implement the threshold cryptographic protocol. For each successive epoch in this operation, the second server compartment SC2 _(i) of each server unilaterally generates a new key share K_(i) for that server via the key-refresh process of FIG. 6. In step 60 of this process, the second server compartment SC2 _(i) retrieves its backup data from memory:

recover backup_(i)←(epoch,K _(i),(mk _({i,j}))_(j=1,j≠i) ^(n))

In step 61, SC2 _(i) updates the epoch count for the new epoch:

set epoch←epoch+1.

In step 62, SC2 _(i) computes a new random share δ_(i) of p=0 for server S_(i):

compute δ_(i)←Σ_(j=1,j≠i) ^(n)Δ_(i,j)PRF(mk _({i,j}),epoch)mod q.

The random share δ_(i) thus comprises a combination of pseudorandom functions of respective master keys mk_({i,j}).

In step 63, SC2 _(i) generates a new key share for S_(i) as a combination (in this example a sum) of the current key share K_(i) (stored in backup_(i) for the previous epoch) and the new random share δ_(i):

set new key share K _(i)←current key share K _(i)+δ_(i).

Step 64 again indicates an optional step described later. In step 65, SC2 _(i) stores new backup data backup_(i) in memory:

backup_(i)←(epoch,K _(i),(mk _({i,j}))_(j=1,j≠i) ^(n)).

In step 66, SC2 _(i) supplies the new key share K_(i) to the first server compartment SC1 _(i) as part of the state st_(i) for the new epoch:

set new state of SC1_(i) to st _(i)=(epoch,K _(i)).

The new key share K_(i) thus becomes the server's current key share for the new epoch, and the key refresh process is complete.

The above scheme allows key shares to be unilaterally refreshed by each server, with refresh raking place in a secure environment provided by the second server compartment with access to trusted backup data. Use of a fresh virtual machine for the first server compartment in each epoch conveniently eliminates any contamination of the first compartment due to server compromise in the preceding epoch. The system remains secure provided that not all n servers in the system are compromised in the same epoch. An additional advantage of this embodiment is that communication keys used by servers 30 to communicate for the threshold cryptographic protocol can be refreshed via the technique for generating the shares s_({i,j}) in the above scheme. The communication keys are typically symmetric keys known to respective pairs of servers in the system. The communication key for a pair of servers {S_(i), S_(i)} is thus analogous to the master key mk_(i,j) common to those servers in the above system. Such a key can therefore be unilaterally refreshed by each server S_(i), S_(j) in the same way as the shares s_({i,j}) above, i.e. as:

s _(i,j)=PRF(mk _(i,j),epoch)mod q,

where mk_(i,j) signifies the communication key for servers S_(i), S_(j) in this context, and s_(i,j) is the refreshed key.

A modification to the above embodiment can additionally provide so-called “forward security” in the system. That is, even if the backup data backup_(i) of a server S_(i) were to leak, then the adversary would still be unable to recompute all S_(i)'s past key shares. This is achieved by addition of the optional steps 44, 54 and 64 in FIGS. 5a, 5b and 6. In these steps, the second server compartment SC2 _(i) updates each master key mk_(ij) for each new epoch, the updated master key comprising a one-way function of that master key mk_(ij) for the preceding epoch.

More specifically, let OWF: {0,1}^(κ)→{0,1}^(κ) be a one-way function, i.e., given y=OWF(x) for a random x←_(R){0,1}^(κ), it is hard to compute x′ such that y=OWF(x′). The initialization and refresh procedures proceed as before, but in the appropriate step 44, 54 or 64 of each process, SC2 _(i) updates the master keys to:

updated master keys mk _({i,j})←OWF(current master keys mk _({i,j})).

The updated master keys mk_({i,j}) are then stored as part of backup_(i) as before.

A second key management scheme for use in servers 30 is described in the following. This construction is based software obfuscation and works for t-out-of-n threshold schemes where the servers' shares are computed as the evaluations of a random polynomial of degree t−1. As is well known in the art, code obfuscation is a tool that renders executable software code “unintelligible”, in the sense that the internal structure and data of the code can no longer be inspected, while preserving the functionality of the code. Many heuristic approaches to code obfuscation techniques exist, some examples being described in “Watermarking, tamper-proofing, and obfuscation-tools for software protection”, Collberg and Thomborson, IEEE Transactions on Software Engineering, 28(8):735-746, 2002 and references therein. As another example, “Candidate indistinguishability obfuscation and functional encryption for all circuits”, Garg et al., 54th FOCS, pages 40-49, IEEE Computer Society Press, October 2013, shows how a weak form of obfuscation can be achieved cryptographically. Some preliminaries for the second scheme are as follows.

Shamir's Secret Sharing.

To share a secret key Kϵ

among a set of servers S₁, . . . , S_(n) so that any subset of size t can recover K, Shamir suggested the following approach that underlies almost all practical t-out-of-n threshold cryptography schemes. The dealer (e.g., S₁) chooses a random polynomial f(x) of degree t−1 such that f(0)=K, for example, by choosing random coefficients a₁, . . . , a_(t-1)←_(R)

and letting f(x)=K+a₁x+ . . . +a_(t-1)x^(t-1). The dealer hands S_(i) its key share K_(i)=f(i). Given t different points (i, K_(i)) of the polynomial for S_(i) ⊆{1, . . . , n}, #S=t, one can use Lagrange interpolation to reconstruct the polynomial as

${f(x)} = {\sum\limits_{i \in S}{\prod\limits_{j \in {S\backslash {\{ i\}}}}{\frac{x - j}{i - j}K_{i}}}}$

and therefore recompute the key K=f(0) as K=Σ_(iϵS)λ_(S,i)K_(i) where Δ_(S,i) are the Lagrange coefficients λ_(S,i)=Π_(jϵS\{i})j(j−i).

Obfuscation.

An obfuscation scheme O for a family of circuit classes {C_(κ)} is an algorithm Obf that, on input of security parameter κ and a circuit C, generates an obfuscated circuit {tilde over (C)}←Obf (1^(κ), C). The obfuscated circuit {tilde over (C)} has the same functionality as C, meaning that for all κϵ

, for all circuits CϵC_(κ), and for all inputs x we have that

Pr[{tilde over (C)}(x)=C(x): {tilde over (C)}Obf(1^(κ) ,C)]=1

(or almost 1, for a slightly weaker constraint). Without making any formal security statements, the obfuscation scheme is such that the obfuscated circuit {tilde over (C)} does not reveal any information about the internal structure of C.

In the following scheme, let PRF: {0,1}^(κ)×

→

be a pseudorandom function and let Obf be an obfuscation algorithm. FIGS. 7a and 7b indicate the initialization procedure of this embodiment, and FIG. 8 indicates the key refresh procedure. FIG. 7a indicates the initialization process in one dedicated server, here server S₁. In this process, the second server compartment SC2 ₁ of S₁ generates a joint secret key K and distributes obfuscated circuits that generate and evaluate a new random polynomial at each epoch.

In step 70 of FIG. 7a , second server compartment SC2 ₁ generates a master key mk and initializes the variable epoch:

choose master mk← _(R){0,1}^(κ); set epoch←0.

The set of master keys {mk}_(i) in this embodiment thus comprises the single master key mk.

In step 71, SC2 ₁ generates the joint secret key K by choosing K←_(R)

.

In step 72, SC2 ₁ generates obfuscated circuits {tilde over (C)}_(i) for each server S_(i):

For i=1, . . . , n, generate an obfuscated circuit {tilde over (C)}_(i) that evaluates the following program:

Program C_(i) (epoch):

for j=1, . . . ,t−1 let a _(j)=PRF(mk,epoch*(n+i)(t+j))

let f(x)=a ₁ x+ . . . +a _(t-1) x ^(t-1)

return δ_(i) =f(i)

where * represents multiplication here. Note that the master key mk and the index i are embedded the circuit C_(i), while the epoch number is taken as input. Each obfuscated circuit {tilde over (C)}_(i) thus evaluates a random polynomial of degree t−1 (t≤n) having coefficients a₁, . . . , a_(t-1) comprising respective pseudorandom functions of the master key mk. The obfuscated circuit computes the random share δ_(i) of predetermined value p (where p=0 in this example) which is shared between the n servers.

In step 73, SC2 ₁ evaluates the obfuscated circuit {tilde over (C)}_(l) to obtain its random share δ₁ for epoch=0:

evaluate δ₁ ={tilde over (C)} ₁(0).

In step 74, SC2 ₁ generates the initial key share K₁ for server S₁ by setting K₁←K+δ₁.

In step 75, SC2 ₁ stores its backup data backup₁ as follows:

store backup₁←(epoch,K ₁ ,{tilde over (C)} ₁).

In step 76, SC2 ₁ supplies the initial key share K₁ to the first server compartment SC1 ₁ as part of the state st₁:

set the initial state of SC1₁ to st ₁←(epoch,K ₁).

In step 77, the obfuscated circuits {tilde over (C)}_(i) for the other servers S_(i) (i=2 to n) are securely distributed to the servers 30 via the secure message transmission functionality F_(smt). The initialization process for S₁ is then complete.

FIG. 7b indicates the initialization procedure for each of the other servers S_(i) ϵ{S₂, . . . , S_(n)} of the system. In this process, the server S_(i) receives and stores its obfuscated circuit {tilde over (C)}_(i), with embedded master key mk, and generates its initial key share K_(i) of the key K.

In step 80 of FIG. 7b , the second server compartment SC2 _(i) receives obfuscated circuit {tilde over (C)}_(i) from S₁ via F_(smt). In step 81, SC2 _(i) initializes the variable epoch:

set epoch←0.

In step 82, SC2 _(i) evaluates the obfuscated circuits {tilde over (C)}_(i) to obtain its random share δ_(i) for epoch=0:

evaluate δ_(i) ={tilde over (C)} _(i)(0).

In step 83, SC2 _(i) generates the initial key share K_(i) for server S_(i) by setting K_(i)←δ_(i).

In step 84, SC2 _(i) stores its backup data backup_(i) as follows:

store backup_(i)←(epoch,K _(i) ,{tilde over (C)} _(i)).

In step 85, SC2 _(i) supplies the initial key share K_(i) to the first server compartment SC1 _(i) as part of the state st_(i):

set the initial state of SC1_(i) to st _(i)←(epoch,K _(i)).

The initialization process for S_(i) is then complete.

FIG. 8 indicates the key refresh process performed by servers 30 for each new epoch in subsequent operation of the threshold cryptographic protocol. In step 90 of this process, the second server compartment SC2 _(i) retrieves its backup data from memory:

recover backup_(i)←(epoch,K _(i) ,{tilde over (C)} _(i)).

In step 91, SC2 _(i) updates the epoch count for the new epoch:

set epoch←epoch+1.

In step 92, SC2 _(i) computes a new random share δ_(i) by evaluating its obfuscated circuit for the new epoch:

evaluate δ_(i) ={tilde over (C)} _(i)(epoch).

In step 93, SC2 _(i) generates a new key share for S_(i) as a combination (here a sum) of the current key share K_(i) (stored in backup_(i) for the previous epoch) and the new random share δ_(i):

set new key share K _(i)←current key share K _(i)+δ_(i).

In step 94, SC2 _(i) updates its backup data backup_(i) as follows:

store backup_(i)←(epoch,K _(i) ,{tilde over (C)} _(i)).

In step 95, SC2 _(i) supplies the new key share K_(i) to the first server compartment SC1 _(i) as part of the state st_(i) for the new epoch:

set new state of SC1_(i) to st _(i)←(epoch,K _(i)).

The new key share K_(i) thus becomes the server's current key share for the new epoch, and the key refresh process is complete.

As with the first embodiment, the above scheme permits secure refresh of key-shares without communication between the servers. The system remains secure provided that less than t servers are compromised in the same epoch. In a modification to this embodiment, forward security can also be provided to prevent compromise of the backup data backup_(i) resulting in leakage of a server S_(i)'s past key shares. This is achieved by causing the obfuscated circuit {tilde over (C)}_(i) to produce as part of its output a new obfuscated circuit {tilde over (C)}_(i)′ that will only generate shares for epochs after the current one. That is, the obfuscated circuit {tilde over (C)}_(i) stored for each epoch further generates an updated obfuscated circuit, operable only for subsequent epochs, for computing the random share δ_(i). The updated obfuscated circuit is then stored as the obfuscated circuit for the next epoch.

More precisely, let the obfuscated circuit {tilde over (C)}_(i) in the above scheme evaluate the following program:

Program C_(i,curr)(epoch):

if epoch≤curr then abort

for j=1, . . . ,t−1 let a _(j)=PRF(mk,epoch*(n+i)(t+j))

let f(x)=a ₁ x+ . . . +a _(t-1) x ^(t-1)

generate {tilde over (C)} _(i) ′=Obf(C _(i,curr))

return(δ_(i) =f(i),{tilde over (C)} _(i)′).

Note that a current epoch value curr is hardcoded into the circuit. The obfuscated circuit outputs an updated obfuscated circuit {tilde over (C)}_(i)′ in which curr is set to the current value of epoch, i.e. the epoch in which {tilde over (C)}_(i)′ is produced. The updated obfuscated circuit {tilde over (C)}_(i)′ is then stored as part of backup_(i) (steps 75, 84 and 94 in the figures) and becomes the new obfuscated circuit for the next epoch (of value curr+1). The obfuscated circuit therefore cannot be run for inputs epoch corresponding to previous epochs. At initialization, S₁ generates and distributes obfuscations of C_(i,0). At each refresh, S_(i) replaces {tilde over (C)}_(i) in its backup with the updated obfuscated circuit {tilde over (C)}_(i)′.

It will of course be appreciated that many other changes and modifications can be made to the exemplary embodiments above. For example, the above schemes can be modified to accommodate a shared value p which is a constant other than zero. Also, new key shares may be based on combinations other than a simple sum of the random shares δ_(i) and current key shares K_(i). While constructions based on additive groups have been described, these constructions can be readily adapted to other groups, such as multiplicative groups. Various other server implementations can also be envisaged. For example, the data (master keys, etc.) generated by S₁ in the above schemes could be written to a secure device such as a smart card, HSM (Hardware Security Module), TPM (Trusted Platform Module) or similar device which is then distributed to the other servers. This device may then also implement the required functionality of the second server compartment SC2 _(i). Embodiments might also be envisaged where the second server compartment SC2 _(i) is implemented by a hypervisor controlling operation of one or more virtual machines providing the first server compartment SC1 _(i).

The descriptions of the various embodiments of the present invention have been presented for purposes of illustration, but are not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein. 

What is claimed is:
 1. A server for operation as one of n≥2 servers and implementing a cryptographic protocol using a secret key K which is shared between the n servers, the server comprising: a network adapter coupling the server to a network including the n servers; a first server compartment which implements the cryptographic protocol in communication with at least another server of the n servers, and which stores a current key share of the secret key K; and a second server compartment, which is inaccessible from the network in operation of the server, and which stores a set of master keys; the second server compartment, for each of successive time periods in the operation of the server, unilaterally generating a new key share of the secret key K and supplying the new key share to the first server compartment as the current key share, wherein the new key share comprises a random share of a predetermined value p which is shared between the n servers, and the random share comprises a function of the set of master keys.
 2. The server as claimed in claim 1 wherein the second server compartment stores the current key share for each time period of the successive time periods and the new key share for each time period comprises a combination of the current key share for an immediately previous one of the successive time periods and the random share.
 3. The server as claimed in claim 1 wherein n>2 and the set of master keys comprises respective master keys common to each of the servers other than the server, and wherein the random share comprises combination of pseudorandom functions of respective master keys.
 4. The server as claimed in claim 3 wherein the server is the i^(th) server (1≤i≤n) of the n servers and the random share is given by: $\delta_{i} = {\sum\limits_{{j = 1},{j \neq i}}^{n}\; {\Delta_{i,j}{{PRF}\left( {{mk}_{\{{i,j}\}},{epoch}} \right)}{mod}\mspace{14mu} q}}$ where Δ_(i,j)=1 if i<j Δ_(i,j)=0 if i=j Δ_(i,j)=−1 if i>j and where: δ_(i) is the random share; PRF is a pseudorandom function; mk_(i,j) is the master key common to the j^(th) server of the servers (1≤j≤n, j≠i); epoch is a value indicative of a time period; and q is a security parameter for the n servers.
 5. The server as claimed in claim 4 wherein the second server compartment stores the current key share for each time period of the successive time periods and the new key share for each time period comprises a sum of the current key share for an immediately previous time period and the random share δ_(i).
 6. The server as claimed in claim 4 wherein the second server compartment is adapted to generate an updated master key mk_(ij) for each of the successive time periods, each of the updated master keys comprising a one-way function of a preceding master key mk_(ij) generated for an immediately preceding time period in the successive time periods.
 7. The server as claimed in claim 1 wherein the first server compartment comprises a virtual machine on a cloud computing platform.
 8. The server as claimed in claim 7 wherein the first server compartment comprises a fresh virtual machine for each time period of the successive time periods.
 9. The server as claimed in claim 1 wherein the predetermined value p=0.
 10. A server system having n≥2 servers, implementing a cryptographic protocol using a secret key K which is shared between then servers, wherein each server comprises: a network adapter coupling the server to a network including the n servers; a first server compartment, which implements the cryptographic protocol, and which stores a current key share of the secret key K; and a second server compartment, inaccessible from the network in operation of the server, which stores a set of master keys; the second server compartment being adapted, for each of successive time periods in the operation of the server, to unilaterally generate a new key share of the secret key K and to supply the new key share to the first server compartment as the current key share, wherein the new key share comprises a random share of a predetermined value p which is shared between then servers, and the random share comprises a function of the set of master keys.
 11. A method for refreshing a key share of a secret key K, which is shared between n≥2 servers for use in a cryptographic protocol, the method comprising, at a server of the servers: providing a network adapter coupling the server to a network including the n servers; providing a first server compartment, which implements the cryptographic protocol, and which stores a current key share of the secret key K; providing a second server compartment, inaccessible from the network in operation of the cryptographic protocol, which stores a set of master keys; and at the second server compartment, for each of successive time periods in operation of the cryptographic protocol, unilaterally generating a new key share of the secret key K and supplying the new key share to the first server compartment as the current key share, wherein the new key share comprises a random share of a predetermined value p which is shared between then servers, and the random share comprises a function of the set of master keys.
 12. A computer program product for refreshing a key share of a secret key K, which is shared between n≥2 servers for use in a cryptographic protocol, the computer program product comprising a computer readable storage medium having program instructions embodied therein, the program instructions being executable by a server of the servers, the server having a network adapter coupling the server to a network including the n servers, a first server compartment, which implements the cryptographic protocol, and which stores a current key share of the secret key K, and a second server compartment, inaccessible from the network in operation of the cryptographic protocol, which stores a set of master keys, the program instructions being executable to cause the second server compartment to: unilaterally generate, for each of successive time periods in operation of the cryptographic protocol, a new key share of the secret key K; and supply the new key share to the first server compartment as the current key share; wherein the new key share comprises a random share of a predetermined value p which is shared between the n servers, and the random share comprises a function of the set of master keys. 